
Sitecore Experience Platform Exploit Chain Enabling Remote Code Execution

📰 4 unique sources, 5 articles

Summary


An exploit chain has been identified in the Sitecore Experience Platform, combining cache poisoning and remote code execution vulnerabilities. The chain leverages four new flaws (CVE-2025-53693, CVE-2025-53691, CVE-2025-53694, CVE-2025-53690) to achieve unauthorized access and code execution. The exploit chain involves HTML cache poisoning through unsafe reflections and insecure deserialization, potentially leading to full compromise of Sitecore instances. The vulnerabilities were disclosed by watchTowr Labs and patches were released by Sitecore in June and July 2025. Additionally, a new zero-day vulnerability (CVE-2025-53690) was exploited by threat actors to deliver malware and perform extensive internal reconnaissance. The attackers targeted the '/sitecore/blocked.aspx' endpoint to achieve remote code execution and executed reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. The vulnerability is a ViewState deserialization flaw under active exploitation in the wild, affecting several Sitecore products including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The attack leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. CISA has ordered immediate patching of the vulnerability by September 25, 2025. The wider impact of the vulnerability has not yet surfaced, but it is expected to do so.

Timeline

  1. 05.09.2025 19:08 📰 1 article · ⏱ 11d ago

    CISA orders immediate patching of CVE-2025-53690 by September 25, 2025

    CISA has ordered immediate patching of the vulnerability by September 25, 2025. The vulnerability arises from the use of a static ASP.NET machine key that was publicly disclosed in product documentation. Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius of the vulnerability remains unknown, but it exhibits characteristics of severe vulnerabilities. The wider impact of the vulnerability has not yet surfaced, but it is expected to do so.

  2. 05.09.2025 01:05 📰 1 article · ⏱ 11d ago

    Mandiant disrupts active exploitation of CVE-2025-53690

    Mandiant Threat Defense successfully disrupted an active ViewState deserialization attack affecting Sitecore deployments. The attack leveraged a sample machine key exposed in older Sitecore deployment guides. The disruption prevented the full attack cycle from being observed, but it highlights the ongoing risk of ViewState attacks.

  3. 04.09.2025 11:46 📰 4 articles · ⏱ 12d ago

    Threat actors exploit CVE-2025-53690 to deliver WeepSteel malware

    The attack was disrupted by Mandiant Threat Defense, preventing the full attack cycle from being observed. The article discusses the broader context of ViewState vulnerabilities, including recent attacks on other platforms and the potential for maintaining persistence on compromised servers. The /sitecore/blocked.aspx page is a legitimate Sitecore component that can be exploited for deserialization attacks. The attackers demonstrated a deep understanding of the compromised product and the exploited vulnerability. The attackers progressed from initial server compromise to privilege escalation. The attackers used the vulnerability to achieve initial compromise of the internet-facing Sitecore instance. The attackers deployed a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.

  4. 29.08.2025 20:22 📰 4 articles · ⏱ 18d ago

    Exploit chain in Sitecore Experience Platform disclosed

    The exploit chain affects several Sitecore products, including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The vulnerability is a ViewState deserialization flaw under active exploitation in the wild. The attack leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The attackers used WEEPSTEEL malware, which borrows functionality from ExchangeCmdPy.py. The attackers created local administrator accounts named asp$ and sawadmin. The attackers dumped SAM/SYSTEM hives to obtain administrator credentials. The attackers used EarthWorm for network tunneling, DWAgent for persistent remote access, and SharpHound for Active Directory reconnaissance. The attackers used GoTokenTheft for token impersonation and command execution. The attackers removed previously created accounts after compromising other admin users. The attackers used Remote Desktop Protocol (RDP) for lateral movement. The attackers established a foothold, escalated privileges, maintained persistence, and conducted internal network reconnaissance. The attackers leveraged the vulnerability to deploy open-source and custom tools for reconnaissance, remote access, and Active Directory reconnaissance.


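Two defensive checks that follow from the summary and timeline above, written as an added example that is not part of this page and not tooling from Sitecore, Mandiant or watchTowr: an audit of an ASP.NET web.config for a static machineKey that matches a publicly documented sample (the root cause described above), and a triage pass over IIS W3C logs for POST requests to /sitecore/blocked.aspx, the endpoint the timeline names. The web.config, key values, log lines and IP addresses are constructed for the example; the known-public key set is a placeholder to be filled from the vendor advisory; treating sizeable POSTs to that page as worth analyst review is a heuristic assumption of this example, not a documented indicator.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# --- Part 1: web.config machineKey audit ------------------------------------
# Constructed sample web.config. The hex below is invented for this example;
# it is NOT the sample key that appeared in Sitecore deployment guides.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Placeholder set: a real audit loads the fingerprints of keys published in
# vendor documentation from the vendor advisory. This entry is constructed.
KNOWN_PUBLIC_VALIDATION_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}


def audit_machine_key(config_xml: str) -> Dict[str, object]:
    """Report whether web.config pins a static <machineKey>, whether that key
    is on the known-public list, and whether ViewState MAC checking is off."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    findings: List[str] = []

    # ASP.NET enables the ViewState MAC by default; only an explicit "false" disables it.
    mac_enabled = pages is None or pages.get("enableViewStateMac", "true").lower() == "true"
    if not mac_enabled:
        findings.append("enableViewStateMac=false: ViewState is not integrity-checked")

    if mk is None:
        # No element present: ASP.NET auto-generates per-server keys.
        return {"static_key": False, "known_public_key": False,
                "mac_enabled": mac_enabled, "findings": findings}

    validation_key = mk.get("validationKey", "AutoGenerate")
    decryption_key = mk.get("decryptionKey", "AutoGenerate")
    static = not (validation_key.startswith("AutoGenerate")
                  and decryption_key.startswith("AutoGenerate"))
    known_public = validation_key.upper() in KNOWN_PUBLIC_VALIDATION_KEYS
    if static:
        findings.append("static machineKey: must be unique per deployment, never copied from docs")
    if known_public:
        findings.append("validationKey matches a publicly documented sample key: rotate now")
    if mk.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1"}:
        findings.append("weak validation algorithm; prefer HMACSHA256 or stronger")
    return {"static_key": static, "known_public_key": known_public,
            "mac_enabled": mac_enabled, "findings": findings}


# --- Part 2: IIS W3C log triage for /sitecore/blocked.aspx ------------------
# Constructed IIS log excerpt with a reduced W3C field set. The client IPs are
# documentation-range addresses and the traffic is invented for the example.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2025-09-03 10:15:01 GET /sitecore/login - 203.0.113.7 200 412
2025-09-03 10:15:09 POST /sitecore/blocked.aspx - 203.0.113.7 200 48233
2025-09-03 10:16:40 POST /sitecore/blocked.aspx - 203.0.113.7 500 47910
2025-09-03 10:17:02 GET /sitecore/blocked.aspx - 198.51.100.4 200 0
2025-09-03 10:18:30 GET /sitecore/content/Home - 198.51.100.4 200 0
"""

TARGET_PATH = "/sitecore/blocked.aspx"


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse an IIS W3C log into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def flag_blocked_aspx_posts(log_text: str, min_body_bytes: int = 4096) -> List[Dict[str, str]]:
    """Return POST requests to the target page carrying a large request body.
    Heuristic assumption of this example: the page is normally reached by GET,
    so sizeable POSTs to it merit analyst review as possible ViewState abuse."""
    hits = []
    for row in parse_w3c(log_text):
        if (row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower() == TARGET_PATH
                and int(row.get("cs-bytes", "0")) >= min_body_bytes):
            hits.append(row)
    return hits


def hits_per_client(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per client address to prioritise review."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG)["findings"]:
        print("web.config:", finding)
    for ip, n in hits_per_client(flag_blocked_aspx_posts(SAMPLE_IIS_LOG)).items():
        print(f"{n} large POST(s) to {TARGET_PATH} from {ip}")
```

A static machineKey is legitimate in a web farm, so the audit only reports it as a finding; the decisive signal is a match against the published sample keys, which is why the placeholder set should be populated from the vendor advisory before use. On the log side, a 500 response to one of the flagged POSTs is not evidence of failure on the attacker's side, so every hit is returned for review rather than filtered by status.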

Similar Happenings

Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses

A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Cursor AI editor autoruns malicious code in repositories

A flaw in the Cursor AI code editor allows malicious repositories to execute arbitrary code automatically when opened. This vulnerability can lead to malware installation, environment hijacking, and credential theft. Cursor, an AI-powered IDE based on Visual Studio Code, disables the Workspace Trust feature by default, allowing this behavior. The flaw affects one million users who generate over a billion lines of code daily. Cursor developers have decided not to fix the issue, citing the need to maintain AI and other features. The vulnerability is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding and reasoning agents, which can embed malicious instructions to perform harmful actions or leak data.

Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days

Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.